From: Daan De Meyer
Date: Thu, 4 Sep 2025 12:02:09 +0000 (+0200)
Subject: gpt-auto-generator: Pass verity settings to dissect_loop_device()
X-Git-Tag: v258-rc4~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8211e88c7d6feea73fe468e4aecf7b76367d8a3;p=thirdparty%2Fsystemd.git

gpt-auto-generator: Pass verity settings to dissect_loop_device()

The image policy might be configured to enforce verity protection on the root or usr partitions. Currently, we get around that by ignoring the root and usr partitions, given that by the time this code runs in the rootfs these will have already been mounted. However, we can't actually ignore the root partition, as we will enable growfs and/or remounting the root partition rw based on the root partition we find in the image. Instead, let's just read any roothash= or usrhash= from the kernel command line and pass in a populated verity settings struct into dissect_loop_device() instead of NULL. If NULL is passed, any verity partitions in the image are ignored. If we pass the default verity settings, the wrong verity partitions might potentially be picked up, so we make sure to pass a fully populated instance. This should be sufficient to satisfy any configured image policy verity protection checks. Reverts 6d6538fb3f46b01dded23cc7eef5ed5ffe8b38e9 Fixes #38788
---
diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
index 029e99a3038..8ed8f15bbd9 100644
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -19,6 +19,7 @@
 #include "fstab-util.h"
 #include "generator.h"
 #include "gpt.h"
+#include "hexdecoct.h"
 #include "image-policy.h"
 #include "initrd-util.h"
 #include "loop-util.h"
@@ -46,6 +47,7 @@ static const char *arg_dest_late = NULL;
 static bool arg_enabled = true;
 static GptAutoRoot arg_auto_root = _GPT_AUTO_ROOT_INVALID;
 static GptAutoRoot arg_auto_usr = _GPT_AUTO_ROOT_INVALID;
+static VeritySettings arg_verity_settings = VERITY_SETTINGS_DEFAULT;
 static bool arg_swap_enabled = true;
 static char *arg_root_fstype = NULL;
 static char *arg_root_options = NULL;
@@ -1063,15 +1065,6 @@ static int enumerate_partitions(dev_t devnum) {
 _cleanup_free_ char *devname = NULL;
 int r;
- static const PartitionDesignator ignore_designators[] = {
- PARTITION_ROOT,
- PARTITION_ROOT_VERITY,
- PARTITION_ROOT_VERITY_SIG,
- PARTITION_USR,
- PARTITION_USR_VERITY,
- PARTITION_USR_VERITY_SIG,
- };
-
 assert(!in_initrd());
 /* Run on the final root fs (not in the initrd), to mount auxiliary partitions, and hook in rw
@@ -1087,14 +1080,6 @@ static int enumerate_partitions(dev_t devnum) {
 return log_debug_errno(r, "Failed to get device node of " DEVNUM_FORMAT_STR ": %m", DEVNUM_FORMAT_VAL(devnum));
- _cleanup_(image_policy_freep) ImagePolicy *image_policy = NULL;
- r = image_policy_ignore_designators(
- arg_image_policy ?: &image_policy_host,
- ignore_designators, ELEMENTSOF(ignore_designators),
- &image_policy);
- if (r < 0)
- return log_debug_errno(r, "Failed to mark root/usr designators as ignore in image policy: %m");
-
 /* Let's take a LOCK_SH lock on the block device, in case udevd is already running. If we don't take
 * the lock, udevd might end up issuing BLKRRPART in the middle, and we don't want that, since that
 * might remove all partitions while we are operating on them. */
@@ -1104,9 +1089,9 @@ static int enumerate_partitions(dev_t devnum) {
 r = dissect_loop_device(
 loop,
- /* verity= */ NULL,
+ &arg_verity_settings,
 /* mount_options= */ NULL,
- image_policy,
+ arg_image_policy ?: &image_policy_host,
 arg_image_filter,
 DISSECT_IMAGE_GPT_ONLY|
 DISSECT_IMAGE_USR_NO_ROOT|
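Review bot: `arg_verity_settings` now owns a heap buffer once roothash= or usrhash= is parsed (the parser fills `root_hash` via `unhexmem()`), but no `verity_settings_done(&arg_verity_settings)` appears anywhere in this diff; if the generator's exit path does not already release it, add one next to the other `arg_*` cleanups. The same instance is also handed to `dissect_loop_device()` in the last hunk of this line unconditionally, so when neither option is on the command line the dissector sees the default settings rather than NULL; the commit message says this is deliberate, so a short comment at the call site recording that (e.g. `/* Populated from roothash=/usrhash=, or left at the defaults so verity partitions are still considered by the image policy */`) would help the next reader. enumerate_partitions starts and ends outside these hunks.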
@@ -1204,6 +1189,25 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
 arg_auto_root = GPT_AUTO_ROOT_OFF;
 log_debug("Disabling root partition auto-detection, roothash= is set.");
+ arg_verity_settings.designator = PARTITION_ROOT;
+
+ free(arg_verity_settings.root_hash); r = unhexmem(value, &arg_verity_settings.root_hash, &arg_verity_settings.root_hash_size);
+ if (r < 0) return log_error_errno(r, "Failed to parse roothash= from kernel command line: %m");
+
+ } else if (streq(key, "usrhash")) {
+
+ if (proc_cmdline_value_missing(key, value)) return 0;
+
+ arg_verity_settings.designator = PARTITION_USR;
+
+ free(arg_verity_settings.root_hash); r = unhexmem(value, &arg_verity_settings.root_hash, &arg_verity_settings.root_hash_size);
+ if (r < 0) return log_error_errno(r, "Failed to parse usrhash= from kernel command line: %m");
+
 } else if (streq(key, "rootfstype")) {
 if (proc_cmdline_value_missing(key, value))
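Review bot: In both the roothash= and usrhash= branches `free(arg_verity_settings.root_hash)` leaves the old pointer and the old `root_hash_size` in the struct, so if `unhexmem()` fails the global holds a dangling pointer with a non-zero size while the error propagates, and whether it is freed a second time depends on the cleanup path outside this hunk. Clearing both fields before the parse, `arg_verity_settings.root_hash = mfree(arg_verity_settings.root_hash);` and `arg_verity_settings.root_hash_size = 0;`, keeps the struct consistent on every path; since the two branches are otherwise identical apart from the designator and the message, a small static helper taking the designator and the key name would avoid repeating them. The usrhash= branch also differs from the roothash= branch above it in that it neither logs nor switches `arg_auto_usr` off; if that is intentional a one-line comment saying why would help, and if an earlier branch of the chain (which starts outside the hunk) already matches "usrhash" this new one would be unreachable. parse_proc_cmdline_item continues outside the hunk on both sides.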